Deny Admin role not usable?

unitrium · October 14, 2025, 12:04pm

Hi,

I’m trying to create a deny policy to protect specific datasets on bigquery marked with a tag.

However to create deny policies I need iam.denypolicies.createavailable only with the Deny Admin role.
However when I try to give myself the role it doesn’t show up. The role is enabled normally and I have the Security Admin role which allows me to setup all other policies.
Anyone else experiencing this and have a way to get around this issue ?

LeoK · October 16, 2025, 12:07pm

Hello @unitrium,

From your screenshot, it seems that you’re not allowed to edit the custom Role since the Edit Role button is disabled. I think that you may need to have roles/iam.roleAdmin as mentioned here. This role provides access to all custom roles in the project.

Security Admin seems limited concerning custom roles.

Topic		Replies	Views
Custom Role definition mismatch Apigee api-runtime	3	4	February 28, 2019
Custom role for Reporting Apigee api-runtime	3	7	November 7, 2019
How to Solve the Access Denies for Google BigQuery in our project Cloud Foundations & Onboarding cloud-error-reporting	1	404	October 19, 2022

Deny Admin role not usable?

AI Suggested topics